From 4bbba361fb93a37636b1b9cd6a9a8708af413d5b Mon Sep 17 00:00:00 2001
From: songnannan
Date: Fri, 3 Jan 2020 10:04:54 +0800
Subject: [PATCH 1/2] bugfix about CVE-2018-20839.patch
---
 xorg-s11-server-CVE-2018-20839.patch | 111 +++++++++++++++++++++++++++
 xorg-x11-server.spec | 7 ++
 2 files changed, 118 insertions(+)
 create mode 100644 xorg-s11-server-CVE-2018-20839.patch
diff --git a/xorg-s11-server-CVE-2018-20839.patch b/xorg-s11-server-CVE-2018-20839.patch
new file mode 100644
index 0000000..2dc56a5
--- /dev/null
+++ b/xorg-s11-server-CVE-2018-20839.patch
@@ -0,0 +1,111 @@
+From 53bea0794281173dacf1511664779b3dcdbafa7b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Tue, 23 Jul 2019 10:32:11 +1000
+Subject: [PATCH] xfree86: always call KDSKBMODE on vt enter with logind
+
+Where we're running with systemd-logind integration we have to assume that
+logind may change the KDSKBMODE while we're VT-switched away. If that happens
+and we return, our keyboard input may leak to the console.
+
+Fix this by always calling K_OFF/K_RAW on VT switch back. We don't update
+the current settings though, so on shutdown we will restore to settings we had
+on init. Given the assumption is that if something messes with our vt, it will
+mess again anyway, it's not worth the bother.
+
+Fixes #857
+
+Signed-off-by: Peter Hutterer
+---
+ hw/xfree86/os-support/linux/linux.h | 1 +
+ hw/xfree86/os-support/linux/lnx_init.c | 44 ++++++++++++++------
+ hw/xfree86/os-support/linux/systemd-logind.c | 2 +
+ 3 files changed, 34 insertions(+), 13 deletions(-)
+
+diff --git a/hw/xfree86/os-support/linux/linux.h b/hw/xfree86/os-support/linux/linux.h
+index 83506fd38..7c9dd67bc 100644
+--- a/hw/xfree86/os-support/linux/linux.h
++++ b/hw/xfree86/os-support/linux/linux.h
+@@ -28,5 +28,6 @@
+
+ int linux_parse_vt_settings(int may_fail);
+ int linux_get_keeptty(void);
++void linux_block_tty_kbd(void);
+
+ #endif
+diff --git a/hw/xfree86/os-support/linux/lnx_init.c b/hw/xfree86/os-support/linux/lnx_init.c
+index 111b3b4e4..fcf575149 100644
+--- a/hw/xfree86/os-support/linux/lnx_init.c
++++ b/hw/xfree86/os-support/linux/lnx_init.c
+@@ -169,6 +169,36 @@ linux_get_keeptty(void)
+ return KeepTty;
+ }
+
++void
++linux_block_tty_kbd(void)
++{
++ static Bool first_time = TRUE;
++ int ret;
++
++ if (xf86Info.ShareVTs)
++ return;
++
++ /* disable kernel special keys and buffering */
++ SYSCALL(ret = ioctl(xf86Info.consoleFd, KDSKBMODE, K_OFF));
++ if (ret < 0)
++ {
++ /* fine, just disable special keys */
++ SYSCALL(ret = ioctl(xf86Info.consoleFd, KDSKBMODE,
K_RAW));
++ if (ret < 0)
++ FatalError("xf86OpenConsole: KDSKBMODE K_RAW failed %s\n",
++ strerror(errno));
++
++ /* ... and drain events, else the kernel gets angry. This
++ * is only necessary once on init but not after every VT switch.
++ */
++ if (first_time)
++ {
++ xf86SetConsoleHandler(drain_console, NULL);
++ first_time = FALSE;
++ }
++ }
++}
++
+ void
+ xf86OpenConsole(void)
+ {
+@@ -258,19 +288,7 @@ xf86OpenConsole(void)
+ tcgetattr(xf86Info.consoleFd, &tty_attr);
+ SYSCALL(ioctl(xf86Info.consoleFd, KDGKBMODE, &tty_mode));
+
+- /* disable kernel special keys and buffering */
+- SYSCALL(ret = ioctl(xf86Info.consoleFd, KDSKBMODE, K_OFF));
+- if (ret < 0)
+- {
+- /* fine, just disable special keys */
+- SYSCALL(ret = ioctl(xf86Info.consoleFd, KDSKBMODE, K_RAW));
+- if (ret < 0)
+- FatalError("xf86OpenConsole: KDSKBMODE K_RAW failed %s\n",
+- strerror(errno));
+-
+- /* ... and drain events, else the kernel gets angry */
+- xf86SetConsoleHandler(drain_console, NULL);
+- }
++ linux_block_tty_kbd();
+
+ nTty = tty_attr;
+ nTty.c_iflag = (IGNPAR | IGNBRK) & (~PARMRK) & (~ISTRIP);
+diff --git a/hw/xfree86/os-support/linux/systemd-logind.c b/hw/xfree86/os-support/linux/systemd-logind.c
+index 93428ba73..577548e44 100644
+--- a/hw/xfree86/os-support/linux/systemd-logind.c
++++ b/hw/xfree86/os-support/linux/systemd-logind.c
+@@ -255,6 +255,8 @@ systemd_logind_vtenter(void)
+ xf86VTEnter();
+ info->vt_active = TRUE;
+
++ linux_block_tty_kbd();
++
+ /* Activate any input devices which were resumed before the drm nodes */
+ for (pInfo = xf86InputDevs; pInfo; pInfo = pInfo->next)
+ if ((pInfo->flags & XI86_SERVER_FD) && pInfo->fd != -1)
+--
+2.22.2
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 4957bfa..8a668ce 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
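Review bot: The `FatalError` text inside the new `linux_block_tty_kbd()` still reads `xf86OpenConsole: KDSKBMODE K_RAW failed`, although the helper is now also reached from `systemd_logind_vtenter()`, so a failure on VT return would abort the server with a log line naming the wrong caller. If the backport is allowed to differ from the upstream commit, `FatalError("linux_block_tty_kbd: KDSKBMODE K_RAW failed %s\n", strerror(errno));` would make triage easier; otherwise a note in the spec changelog that the patch is carried unmodified is enough. In `systemd_logind_vtenter()` the call sits after `xf86VTEnter()` and `info->vt_active = TRUE`, so there appears to be a short interval on VT return in which the console is still in whatever keyboard mode logind left it; the rest of that function is outside the hunk, so this is worth confirming rather than assumed. A one-line comment above the helper, such as `/* Re-assert K_OFF/K_RAW on the console fd; safe to call on every VT enter, no-op with ShareVTs. */`, would document why it is called twice.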
@@ -54,6 +54,7 @@ Patch10: 0001-glx-check-for-indirect-context-in-CreateContextAttri.patch
 Patch6000: 0026-glamor_egl-Don-t-initialize-on-llvmpipe.patch
 Patch6001: 0027-glamor-egl-Avoid-crashing-on-broken-configurations.patch
+Patch6003: xorg-s11-server-CVE-2018-20839.patch
 BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex flex-devel git
 BuildRequires: systemtap-sdt-devel libtool pkgconfig xorg-x11-util-macros xorg-x11-proto-devel
@@ -288,6 +289,12 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %{_libdir}/xorg/protocol.txt
 %changelog
+* Thu Jan 3 2019 openEuler Buildteam - 1.20.1-11
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:bugfix about CVE-2018-20839.patch
+
 * Tue Dec 31 2019 openEuler Buildteam - 1.20.1-11
 - Type:bugfix
 - ID:NA
--
Gitee
From 1c2aadf68231fbb04133a04b4fa0cb9900e004a5 Mon Sep 17 00:00:00 2001
From: songnannan
Date: Fri, 3 Jan 2020 10:08:18 +0800
Subject: [PATCH 2/2] bugfix about CVE-2018-20839.patch
---
 xorg-x11-server.spec | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 8a668ce..72e0eab 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -16,7 +16,7 @@ Name: xorg-x11-server
 Version: 1.20.1
-Release: 11
+Release: 12
 Summary: X.Org X11 X server
 License: MIT and GPLv2
 URL: https://www.x.org
@@ -289,7 +289,7 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %{_libdir}/xorg/protocol.txt
 %changelog
-* Thu Jan 3 2019 openEuler Buildteam - 1.20.1-11
+* Thu Jan 3 2019 openEuler Buildteam - 1.20.1-12
 - Type:bugfix
 - ID:NA
 - SUG:NA
--
Gitee
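Review bot: `Patch6003` is only declared in the `@@ -54,6 +54,7 @@` hunk, and nothing in the visible hunks shows it being applied, so the CVE-2018-20839 fix could be packaged without ever reaching the built sources. `%prep` is outside the hunk: if it lists patches explicitly rather than using `%autosetup`/`%autopatch`, it needs a matching `%patch6003 -p1`, and the build log should be checked for the patch being applied. The file name `xorg-s11-server-CVE-2018-20839.patch` looks like a typo for `xorg-x11-server-CVE-2018-20839.patch`, and the number skips from `Patch6001` to `Patch6003`; both make the patch harder to find when auditing which CVE fixes a given release carries.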